Transcript of "Honeywords - BSides London 2014"

2.
whoami
Gavin Holt (@GavinHolt)
Fourth Year Honours Student at Abertay University
One of the organisers of Securi-Tay 3
Vice President of Abertay Ethical Hacking Society (@AbertayHackers)

3.
What are we covering today?
Why is password theft so dangerous?
How are passwords currently being stored? (The good, the bad and the plain
stupid)
What are Honeywords?
How Honeywords can be implemented
The benefits of Honeywords
What Honeywords won’t save you from
Summary
Questions

37.
How do we make Honeywords?
We need believable words
We need some low hanging fruit
We need some tough passwords
We need to ensure we don’t use the users PW
We need to be able to identify HoneyWords internally!

38.
How do we make Honeywords?
Start with a dictionary
Select a handful of words of varying length
Depending on how hard we want to make the password to crack we can:
Mangle for Upper and Lower Case
Prepend and Append numbers
Substitute Symbols
Concatenate Words
Make sure it doesn’t make our users PW!

39.
How do we make Honeywords?
We need to make a correct Checksum for our users password
We also need to make some fake checksums for the honeywords we have
generated

56.
The benefits of Honeywords
Can be used to detect password theft
Can be used to prevent the usage of stolen credentials
Can provide warnings to other services that users may reuse passwords on
Can be used to deter attackers from trying to compromise accounts

58.
What Honeywords won’t do
Honeywords won’t stop your service being compromised
If they have your Password file, you have problems to begin with
Honeywords won’t stop the hashes from being cracked
Only per hash salting and intensive hashing functions will slow that down
Honeywords won’t stop attackers from gaining a users password by another
method
Social Engineering, Key Logger, or simply guessing a rubbish password

59.
Honeywords are not a replacement
to a strong password policy and
user awareness

60.
In Summary
Honeywords allow for detectable password theft by seeding a database with
known “wrong” passwords.
Watching for these passwords allows Systems to detect when they have had
their password DB stolen.
Honeywords should be of varying difficulty in order to disguise themselves
Honeywords are not a replacement for:
A strong password policy
A strong password storage mechanism
End Point Security